Trident SAM Crypto Token Properties
TridentSAMCryptoToken implements the Trident SAM and requires access to the Trident QSCD. Once configured, it can be used to create remote signatures on behalf of the users. The TridentSAMCryptoToken can be attached to any Signer implementation.
TridentSAMCryptoToken can be operated in 2 modes:
- Signing-only mode: supports only remote signing operations (user and key management is handled by a different component in the solution)
- Key Management mode: supports signing, user, and key management operations (in this case, it is the single point of SAM key management)
- User Management mode: supports additional user management functions, such as creating a user, configuring authorization, or removing a user.
The implementation class of the TridentSAMCryptoToken Worker is:
com.czertainly.signserver.trident.TridentSAMCryptoToken
The Worker seamlessly integrates with the Trident SAM interface. The TridentSAMCryptoToken Worker checks the following configuration properties.
Signing-only mode
Property | Description | Default Value | Mandatory |
---|---|---|---|
TRIDENT_URL | URL to access the Trident SAM. | NONE | YES |
TRIDENT_CEISK | Infrastructural certificate for encryption, represented as PEM encoded string. | NONE | YES |
TRIDENT_CSISK | Infrastructural certificate for digital signature, represented as PEM encoded string. | NONE | YES |
CERT_STORAGE_IMPLEMENTATION_CLASS | Implementation class for certificate storage. Certificates issued for assigned signing keys are stored according to the implementation provided. Each implementation may have additional properties that need to be configured. | NONE. See Certificate Storage Providers for more information. | YES |
SAP_PROVIDER_IMPLEMENTATION_CLASS | Implementation class for Signature Activation Protocol handling between the Signature Integration Component and the Signature Activation Module. This is the interface for providing the Signature Activation Data used to execute the signing operation. | NONE. See Signature SAP Providers for more information. | YES |
Key Management mode
For the Key Management mode, the same properties as for the Signing-only mode must be configured. Additional properties are defined in order to support the management of the users and assigned keys. The following properties are optional for the Signing-only mode, but mandatory for Key Management mode:
Property | Description | Default Value | Mandatory |
---|---|---|---|
TRIDENT_KEY_ADMIN | Identification of the key administrator. | NONE | NO |
TRIDENT_KEY_ADMIN_PASSWORD | Password associated with the key administrator. | NONE | NO |
TRIDENT_KEY_ADMIN_TOTP_SEED | TOTP seed associated with the key administrator, in HEX format. | NONE | NO |
TRIDENT_KEY_ADMIN_TOTP_STEP | TOTP step for generating correct codes for TOTP authentication. The TOTP step is represented in seconds. | NONE | NO |
TRIDENT_KEY_ADMIN_TOTP_REFRESH_INTERVAL | Refresh interval of the key administrator session based on the TOTP authentication. Interval is represented in number of seconds. | NONE | NO |
KM_SAP_PROVIDER_IMPLEMENTATION_CLASS | Implementation class for handling key management operations through the Signature Activation Protocol. This interface provides the ability for the user to activate and manage assigned private keys. | NONE. See Key Management SAP Providers for more information. | NO |
TRIDENT_KEYGEN_MODE | Mode of the key generation based on the configuration of the Trident HSM. The key generation modes used on this page are AUTO, MANUAL, and HYBRID (see below). | NONE | YES |
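The TRIDENT_KEY_ADMIN_TOTP_SEED and TRIDENT_KEY_ADMIN_TOTP_STEP properties above describe a time-based one-time password: a HEX seed and a step in seconds. The following added example (not code from CZERTAINLY, SignServer or Trident) shows how those two values feed an RFC 6238 TOTP, so an operator can confirm that a seed/step pair produces the same codes as the authenticator enrolled for the key administrator before the worker is deployed. The page does not state the hash algorithm or code length the Trident SAM expects; the example assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits) and the seed below is the RFC 6238 test-vector seed, not a real credential.

```python
"""RFC 6238 TOTP from a HEX seed and a step in seconds (added example).

Assumptions (not stated on the page): HMAC-SHA1 and 6-digit codes, which are
the RFC 6238 defaults. The Trident SAM may use different parameters.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample values: the RFC 6238 test-vector seed (ASCII
# "12345678901234567890" as HEX) and a 30 second step. Not a real credential.
SAMPLE_TOTP_SEED_HEX = "3132333435363738393031323334353637383930"
SAMPLE_TOTP_STEP = 30


def hotp(seed_hex, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    key = bytes.fromhex(seed_hex)            # TRIDENT_KEY_ADMIN_TOTP_SEED is HEX
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F               # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(seed_hex, step_seconds, at_time=None, digits=6):
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since epoch."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // int(step_seconds)   # TRIDENT_KEY_ADMIN_TOTP_STEP
    return hotp(seed_hex, counter, digits)


def seconds_until_rollover(step_seconds, at_time=None):
    """How long the code generated at `at_time` stays in its time step."""
    if at_time is None:
        at_time = time.time()
    return int(step_seconds) - (int(at_time) % int(step_seconds))


def verify_totp(seed_hex, step_seconds, code, at_time=None, window=1, digits=6):
    """Verifier-side check with a small clock-skew window, constant-time compare."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // int(step_seconds)
    for delta in range(-window, window + 1):
        candidate = hotp(seed_hex, counter + delta, digits)
        if hmac.compare_digest(candidate, str(code)):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(SAMPLE_TOTP_SEED_HEX, SAMPLE_TOTP_STEP, now))
    print("valid for another", seconds_until_rollover(SAMPLE_TOTP_STEP, now), "s")
```

If the code printed here does not match what the authenticator enrolled on the SAM shows for the same seed, the seed encoding (it must be HEX, not Base32) or the step is the first thing to check.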
MANUAL and HYBRID key generation
In order to enable MANUAL or HYBRID key generation mode, additional configuration properties must be available. These are not mandatory in case of AUTO key generation mode:
Property | Description | Default Value | Mandatory |
---|---|---|---|
TRIDENT_CM_URL | URL to access the Trident CM API. | NONE | NO |
TRIDENT_CM_ADMIN_UID | Identification of the CM administrator. | NONE | NO |
TRIDENT_CM_ADMIN_PASSWORD | Password associated with the CM administrator. | NONE | NO |
TRIDENT_CM_ADMIN_SESSION_REFRESH_INTERVAL | Refresh interval of the CM administrator session. Interval is represented in number of seconds. | NONE | NO |
User Management Mode
User Management mode is an extension of the Key Management mode allowing you to manage SAM users. The Key Management Mode must be configured in order to use the User Management mode. This mode allows you to manage users independently of the key management operations. The following properties are optional for other modes, but mandatory for User Management mode:
Property | Description | Default Value | Mandatory |
---|---|---|---|
UM_SAP_PROVIDER_IMPLEMENTATION_CLASS | Implementation class for handling user management operations through the Signature Activation Protocol. This interface provides the ability to manage users and the authorisation configuration. | NONE. See User Management SAP Providers for more information. | NO |
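Because the Mandatory column reads NO for properties that the prose makes mandatory in a higher mode, it is easy to deploy a worker that is complete for Signing-only mode but incomplete for the mode actually intended. The following added example (not code from CZERTAINLY or SignServer) encodes the property tables on this page as a pre-deployment check: given the worker's properties and the intended mode, it lists the missing mandatory properties and flags values whose format the page specifies (HEX TOTP seed, PEM certificates, intervals in seconds). The mode labels SIGNING_ONLY, KEY_MANAGEMENT and USER_MANAGEMENT are names chosen for this script (the page names the modes but no property selects them), the set of allowed TRIDENT_KEYGEN_MODE values is assumed to be exactly the modes the page names, and every value in the sample configuration is a constructed placeholder.

```python
"""Pre-deployment check of TridentSAMCryptoToken worker properties (added example)."""
import re

# Mode labels chosen for this script; the page names the modes but defines no
# property that selects one.
MODES = ("SIGNING_ONLY", "KEY_MANAGEMENT", "USER_MANAGEMENT")
# Assumed to be the complete set: these are the key generation modes named on the page.
KEYGEN_MODES = ("AUTO", "MANUAL", "HYBRID")

SIGNING_ONLY_REQUIRED = (
    "TRIDENT_URL", "TRIDENT_CEISK", "TRIDENT_CSISK",
    "CERT_STORAGE_IMPLEMENTATION_CLASS", "SAP_PROVIDER_IMPLEMENTATION_CLASS",
)
KEY_MANAGEMENT_REQUIRED = (
    "TRIDENT_KEY_ADMIN", "TRIDENT_KEY_ADMIN_PASSWORD",
    "TRIDENT_KEY_ADMIN_TOTP_SEED", "TRIDENT_KEY_ADMIN_TOTP_STEP",
    "TRIDENT_KEY_ADMIN_TOTP_REFRESH_INTERVAL",
    "KM_SAP_PROVIDER_IMPLEMENTATION_CLASS", "TRIDENT_KEYGEN_MODE",
)
MANUAL_HYBRID_REQUIRED = (
    "TRIDENT_CM_URL", "TRIDENT_CM_ADMIN_UID", "TRIDENT_CM_ADMIN_PASSWORD",
    "TRIDENT_CM_ADMIN_SESSION_REFRESH_INTERVAL",
)
USER_MANAGEMENT_REQUIRED = ("UM_SAP_PROVIDER_IMPLEMENTATION_CLASS",)

SECONDS_PROPERTIES = (
    "TRIDENT_KEY_ADMIN_TOTP_STEP", "TRIDENT_KEY_ADMIN_TOTP_REFRESH_INTERVAL",
    "TRIDENT_CM_ADMIN_SESSION_REFRESH_INTERVAL",
)
PEM_PROPERTIES = ("TRIDENT_CEISK", "TRIDENT_CSISK")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def required_properties(mode, keygen_mode=None):
    """Mandatory property names for `mode`; higher modes include the lower ones."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    required = list(SIGNING_ONLY_REQUIRED)
    if mode in ("KEY_MANAGEMENT", "USER_MANAGEMENT"):
        required += KEY_MANAGEMENT_REQUIRED
        if keygen_mode in ("MANUAL", "HYBRID"):   # AUTO needs no Trident CM access
            required += MANUAL_HYBRID_REQUIRED
    if mode == "USER_MANAGEMENT":
        required += USER_MANAGEMENT_REQUIRED
    return required


def check_config(props, mode):
    """Return a list of problems; an empty list means the worker is complete for `mode`.

    `props` maps worker property name to value; blank values count as absent.
    """
    present = {k: str(v) for k, v in props.items() if v is not None and str(v).strip()}
    problems = []
    keygen_mode = present.get("TRIDENT_KEYGEN_MODE")
    for name in required_properties(mode, keygen_mode):
        if name not in present:
            problems.append(f"missing mandatory property {name} for mode {mode}")
    if keygen_mode is not None and keygen_mode not in KEYGEN_MODES:
        problems.append(f"TRIDENT_KEYGEN_MODE={keygen_mode!r} is not one of {KEYGEN_MODES}")
    seed = present.get("TRIDENT_KEY_ADMIN_TOTP_SEED")
    if seed is not None and not HEX_RE.match(seed):
        problems.append("TRIDENT_KEY_ADMIN_TOTP_SEED must be an even-length HEX string")
    for name in SECONDS_PROPERTIES:
        value = present.get(name)
        if value is not None and not (value.isdigit() and int(value) > 0):
            problems.append(f"{name} must be a positive number of seconds, got {value!r}")
    for name in PEM_PROPERTIES:
        value = present.get(name)
        if value is not None and "-----BEGIN CERTIFICATE-----" not in value:
            problems.append(f"{name} must be a PEM encoded certificate")
    return problems


# Constructed sample configuration: placeholder values, hypothetical class names.
PEM_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----"
SAMPLE_SIGNING_ONLY = {
    "TRIDENT_URL": "https://trident-sam.example.internal",
    "TRIDENT_CEISK": PEM_PLACEHOLDER,
    "TRIDENT_CSISK": PEM_PLACEHOLDER,
    "CERT_STORAGE_IMPLEMENTATION_CLASS": "com.example.CertStorageProvider",
    "SAP_PROVIDER_IMPLEMENTATION_CLASS": "com.example.SapProvider",
}
SAMPLE_KEY_MANAGEMENT = dict(SAMPLE_SIGNING_ONLY, **{
    "TRIDENT_KEY_ADMIN": "key-admin",
    "TRIDENT_KEY_ADMIN_PASSWORD": "placeholder-password",
    "TRIDENT_KEY_ADMIN_TOTP_SEED": "3132333435363738393031323334353637383930",
    "TRIDENT_KEY_ADMIN_TOTP_STEP": "30",
    "TRIDENT_KEY_ADMIN_TOTP_REFRESH_INTERVAL": "600",
    "KM_SAP_PROVIDER_IMPLEMENTATION_CLASS": "com.example.KmSapProvider",
    "TRIDENT_KEYGEN_MODE": "MANUAL",   # MANUAL also needs the Trident CM properties
})

if __name__ == "__main__":
    for mode in MODES:
        print(mode, check_config(SAMPLE_KEY_MANAGEMENT, mode) or "OK")
```

Run against the sample, the check passes for SIGNING_ONLY and reports the four missing TRIDENT_CM_* properties for KEY_MANAGEMENT, because TRIDENT_KEYGEN_MODE is MANUAL; switching it to AUTO makes the same property set complete.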